Configurations

The section will have details about configurations to be done for different components of HyWorks for session recording and management.

Session Recording Management Server (SRMS) Configurations

As briefly used in overview section, SRMS services are used to list recordings, stream recordings and also gets the recordings uploaded from desktop machines.

Before moving to other sections, it is important to configure SRMS correctly.

Installing SRMS Server

Detailed information on SRMS server installation can be found in section SRMS Installation

Configure SRMS Details on HyWorks Management Console

• Make sure SRMS installed on server before configuring SRMS into HyWorks management console.

  • On HyWorks Controller Management Console > Go to Settings > General > Advance Settings.

  • Type SRMS into Tags Filter control.

  • Configure following endpoints

    • SRMS listing endpoints - LISTING API Endpoint URL of Session Recording Management Server with port. Localhost must be replaced by IP address of SRMS. By default its value is https://localhost:38892.

    • SRMS streaming endpoints - STREAMING API Endpoint URL of Session Recording Management Server with port. Localhost must be replaced by IP address of SRMS. By default its value is https://localhost:38893.

    • SRMS aggregator endpoints - AGGREGATOR API Endpoint URL of Session Recording Management Server with port. Localhost must be replaced by IP address of SRMS. By default its value is https://localhost:38893.

Note

• SRMS status from HyWorks Controller can be checked by using the API - https://localhost:38892/healthcheck, here localhost to be replaced with SRMS server address.
• Streaming service status can be checked using API - https://localhost:38893/healthcheck, here localhost to be replaced with SRMS server address.

Certificate configuration on SRMS

It is required to have a valid certificate installed on SRMS to play the recording files. Follow the steps provided below to configure certificate on SRMS:

1. Import Certificate into Personal/Local Machine: SRMS services try to locate certificate in "Local Machine > Personal" store with the subject name specified in appsettings.json file of respective service. Thus, the obtained CA certificate needs to be placed at the location Local Machine and store Personal using following steps:

   1. Connect to SRMS server with user credentials having local administrator privileges

   2. From the Windows Start menu, click Start > Run and enter mmc to open the Microsoft Management Console.

   3. Click File > Add/Remove Snap-in from the Microsoft Management Console.

   4. Click Add.

   5. Select Certificates and click Add.

   6. Select location as "Computer Account > Local Computer" and click Finish. Click OK.

   7. Right-click Personal under Certificates > select All Tasks > Import. Click Next.

   8. Click Browse and select the .pfx file that contains your certificate information. Click Next.

   9. Enter the password for the private key and select the option Mark this key as exportable. Click Next.

   10. Configure the screen as required and click Next.

   11. Click Finish on the final screen of the Certificate Import Wizard.

   12. A success message should be shown.

2. Remove any other certificate which is existing under personal folder in local machine account, e.g. if the CA certificate imported is with subject as "hwsrms" make sure no certificate with subject having hwsrms2 or hwsrms1 or hwsrms is present in the personal store.

   1. Please know on installation, SRMS server creates a root CA and another one with hostname and these must be needed to be removed while importing CA cert, as having more than one certificate matching the criteria, recording services may pick certificate randomly.

   Note

   • In any case if SRMS services are not able to locate certificate, they fail to start and thus administrator should import certificate and update appsettings.json files carefully.

3. Configuring SRMS Services:

   1. Open appsettings file available at "C:\Program Files (x86)\Accops\HyWorks\SessionRecordingManager\SessionRecordingManager\appsettings.json"

   2. Under Certificate, Subject should be matching to the certificate name (provide starting 5 characters which should match with the hostname as well as certificate name), Store should be "My" and Location should be "LocalMachine".

   3. Similarly change the appsettings file at "C:\Program Files (x86)\Accops\HyWorks\SessionRecordingManager\SessionRecordingAggregator\appsettings.json" and repeat step# 2.

   4. Open Services and Restart "Accops HyWorks Session Recording Aggregator" and "Accops HyWorks Session Recording Manager" services.

4. Verify if certificate is applied and being used:

   1. Try to open browser from system, where exception for SRMS server is not added. Attempt to list and play the recordings from HyWorks Controller Management Console. With appropriate certificate applied, there should not be any issues in listing and playing recordings.

Certificate Configurations for SRMS HA

Note

Wild card certificate is currently not supported and thus following alternate method can be used for applying certificate on multiple SRMS servers running behind load balancer for high-availability and load balancing.

1. Obtain a certificate whose subject matches with all the servers hosting SRMS servers e.g., if having two SRMS servers as hwsrms1.demo.local and hwsrms2.demo.local. then a certificate with subject hwsrms can be obtained.

2. Apply the certificate on both SRMS servers using steps mentioned in above section and specifying Subject in appsettings.json which can match in both servers e.g., hwsrms.

3. Load balancer configuration: It should host two virtual services:

   1. Streaming Virtual Service on port 38893, having actual SRMS streaming services on port 38893.

   2. Listing Virtual Service on port 38892, having actual SRMS listing services on port 38892.

4. Controller configuration will be as follows:

   1. On Controller server > Create a host entry as .

      1. On Controller, host entry to be provided, which should be IP of Virtual Service for streaming endpoint and subject of certificate. e.g of LB is configured with virtual service on 172.26.5.111, then host entry will be "172.26.5.111 hwsrms1.accops.dev".

      2. Same entry should be configured on DNS server, so that whenever streaming is attempted on hwsrms1.accops.dev it is taking to SRMS server via LB virtual service IP:port

   2. Management Console > Settings > General > Advance Settings:

      1. SRMS streaming endpoints: Subject of cert, resolving to streaming virtual service LB IP. The streaming endpoint should be provided as per the certificate subject and as both hosts are having same cert, on connecting to any of SRMS, the server will present the same certificate.

      2. SRMS aggregator endpoints: Same as streaming virtual service IP of LB with port 38893. Please know if this is being configured as certificate subject, it must be resolved on all the DVMs. As aggregator endpoint is used by DVMs to upload the recordings.

      3. SRMS listing endpoints: Listing virtual service IP of LB with port 38892.

      4. Save and update HyWorks Controller Advance Configurations.

5. Login from client with valid user credentials, let the recording run for sometime in desktop or application sessions. Disconnect or logout the session.

6. Wait for sometime to let the recording be uploaded as per upload configurations and then try to list and play from HyWorks Controller Management Console for verification of above configuration.

Note

• Signed trusted certificate is required on SRMS to play recording.

• If SRMS listing endpoints is not configured on HyWorks Controller, then recording list will not be displayed in Recording View.

• If SRMS streaming endpoints is not configured correctly then recording will not be played.

• If logged-in user does not have rights to view recordings, then the page will display warning.

  • HyWorks super administrator(s) have permissions to view list of recordings but can not play recordings. The Play button will be shown as disabled for user.

Viewing and Playing Recordings with No Signed Certificate Installed on SRMS Server

For listing and playing recording files from HyWorks Management console, appropriate certificate must be applied and HyWorks controller must be configured with appropriate streaming endpoints. However, if certificate configuration is not completed and administrator still wants to verify the successful playing of the recording, following steps can be used:

Note

This is not a recommended configuration or process but to workaround for immediate verification in case when certificate is not available.

1. Assuming HyWorks Controller is having all required configurations of recording services and there are valid recordings available for verification.

2. Open browser and open HyWorks Controller Management Console, login with appropriate user credentials having recording auditor role assigned.

3. Go to Monitoring > Session Recordings. Verify if recordings are listed.

4. In the next browser tab, open the following URL: https://:38893/healthcheck. E.g., if SRMS server configured on IP 172.23.11.48, then admin can try navigating https://172.23.11.48:38893/healthcheck.

   1. When the warning page suggesting invalid certification authority, click on Advanced button and click on "Proceed to (unsafe)".

5. Return back to the recording and try to play recording. This should work now.

Configurations in SRMS Services

With SRMS, following modules are installed on Windows server:

• SRMS Aggregator Service
• SRMS Manager Service
• AutoClean Task(Optional)

Each SRMS module has a config file called appsettings.json, which can be used for configuring following parameters:

Parameter	Aggregator	Manager	AutoClean
srmconfig	Yes	Yes	Yes
AutoCleanConfig	No	No	Yes
UploadBasePath	Yes	No	Yes
AutoCleanupLockTimeOutInMins	No	No	Yes
ControllerInfo	Yes	Yes	Yes
edcMQ	Yes	Yes	Yes

1. AutoCleanConfig: It contains "PageSize" and "CleanUpRecordingsAfterNoOfDays". Page size represents the number of recordings to be deleted at a time and CleanUpRecordingsAfterNoOfDays is the number of days after which the recordings will be cleaned/deleted. Default values of are 100 and 120 days respectively.

   1. PageSize

      • Number of recordings to be deleted at a time.

      • The default value is 100

   2. CleanUpRecordingsAfterNoOfDays

      • Recordings older than this counter will be deleted.

      • The default value is 120

   Note

   • These details are captured during SRMS installation and should be modified from appsettings.json file, if some configurations have changed.

2. UploadBasePath: The path, where recordings will be uploaded.

   • If the given path is remote path, then the services and the task should run in the user context.

3. AutoCleanupLockTimeOutInMins: In case of multiple nodes of SRMS server, more than one AutoClean tasks with try to clean the recordings from the same remote location, so when one task from a node is cleaning on the location another task will wait before trying again. This wait time is 'AutoCleanupLockTimeOutInMins' in minutes.

4. ControllerInfo: It contains following details, which can be updated. Service restart is required to apply the changes

   1. PrimaryControllerIP

   2. PrimaryControllerPort

   3. SecondaryControllerIP(optional)

   4. SecondaryControllerPort(optional)

   Note

   • These details are captured during SRMS installation and should be modified from appsettings.json file, if some configurations have changed.

5. edcMQ: It contains AccopsMQ details, where controller is also pushing HA status of the cluster and SRMS services will use this configuration to locate appropriate controller (primary) to connect.

   • HostName

   • Port

   • Username

   • Password

   • ExchangeName

   Note

   • These details are captured during SRMS installation and should be modified from appsettings.json file, if some configurations have changed.

Using Network Location for Uploading Session Recordings

SRMS configuration saves the recordings locally on server by default, but this can be changed to have a better solution, where recordings will be uploaded on network location. To achieve the purpose following configurations should be done:

1. Save user credentials on SRMS server having read/write permission on network path

2. Run SRMS Services with User Credentials having read/write permission on network path

Add credentials to credential manager

• Connect to SRMS server with user having local administrator rights on SRMS server (User can be local admin or domain user with admin privileges on the server) for e.g., User 1.

• Locate Credential Manager on SRMS server > Go to Windows Credentials section > select option Add a Windows credential

  • Provide network address and network credentials (user having read and write permissions on given network location) for e.g., User 2.

• Update the new recording location in following configurations files:

  • C:\Program Files (x86)\Accops\HyWorks\SessionRecordingManager\SessionRecordingAggregator\appsettings.json

  • C:\Program Files (x86)\Accops\HyWorks\SessionRecordingManager\SessionRecordingAutoClean\appsettings.json

  Note

  • The location information uses double backslashes instead of one e.g., \myrecording-server\recording-location will be specified as \\myrecording-server\recording-location.

• Following recording services must be running in the context of the same user credentials (User 1 here in example), in which the user credentials of user 2 having permissions to the network location is saved.

  • EDCSessionRecordingAggregator service

  • EDCAutoClean task in task scheduler

Changing context of Services and Task

1. To change context of services as needed for EDCSessionRecordingAggregator service in above section, follow the given steps:

   1. Open Services app

   2. Locate the service (EDCSessionRecordingAggregator in this case) and right-click on it

   3. Go to Properties > Log On

   4. Select 'This account' in Log on as and enter the credentials. The user must have "Logon as a service" right, refer this article for detailed instructions to provide the right.

   5. Then click Apply and Ok.

   6. Service restart will be needed.

2. To change context of the scheduler task, follow the given steps:

   1. Open Task Scheduler

   2. Select the task from the task scheduler library

   3. Right-click on it and select properties

   4. In General > Security Options click on Change User or Group

   5. Add the user and click ok, enter the credentials

Recording profile assignment to Connection Profile

The section is not only intended to provide details of process for assigning a recording profile to connection profile, but also provides information on the overall mechanism to enable or disable session recording.

In latest HyWorks Controller Connection Profiles are having option to specify Session Recording Profile in Additional settings tab and its default value is none (suggesting no recording profile applied.).

• With Recording Profile as None, the sessions will not be recorded

• With specified recording profile, all sessions will be recorded, where the profile is getting applied.

  • Application/ Desktop Pool Profile failover model gets applied to recording profiles as well.

Steps to configure Session Recording Profile in Connection Profile:

1. Go to Policies > Profiles > Connection Profiles

2. Select connection profile and click on Add/Edit

3. Once wizard get open then go to last tab which name is Additional settings

4. Find Session Recording Profile dropdown and select session recording profile.

5. Perform save connection profile operation.

Note

• Session Recording profile assignment with Connection profile needs to be done, without assignment session recording can't start.

Session Recording Auditor Role Permission

Session recordings can only be played by management console user having recording auditor role assigned. Even HyWorks super-administrator users will be able to only view the list of recordings but will not be able to play it.

Follow the below steps to assign the role of recording auditor to user(s) or group(s) of users:

1. Navigate to the Users > Admin Users > Administrators

2. Click on Add Permission button

3. Wizard will get open and in the first tab, "Users/Groups" select users or groups

   1. Go to second tab Rolesand select Session Recording Auditor role.

4. Click on Save button to save the role assignments.

   1. All user(s) or member of group(s) added, can login into HyWorks management console and access Session Recording screen to view and play recorded files.

   2. For more details, on role assignments refer the How to assign Session Recording Auditor role to user/group section.

Note

• Only Super-admin Role users and Admin Role users have permission to view recording listing on grid.

Advance Settings

Advance Settings available on HyWorks Controller Management Settings > General > Advance Settings

Refer section for Advance Settings For Session Recordings (SRMS)